Embedded dynamic alarm control system

ABSTRACT

A system and method of modeling, prediction, optimization and control of an embedded alarm control having a plurality of independently controlled, manipulated variables, at least one controlled variable and one or more disturbance variables. The method includes determining simultaneously a set number of dynamic moves of the manipulated variables along with steady state values of the manipulated and controlled variables, with steady state constraints relating to the manipulated and controlled variables as well as dynamic constraints relating to the manipulated and controlled variables, including those relating to the disturbance variables. Alarm controls are embedded in the simultaneous dynamic control and steady state optimization, covering varying types of alarming situations and aiding the operator in recovery actions. A receding horizon form of control is performed, wherein the optimization and control is performed at successive time intervals by monitoring and feedback of process responses resulting from the control actions applied at previous time intervals.

FEDERALLY SPONSORED RESEARCH

Not Applicable

SEQUENCE LISTING OR PROGRAM

Not Applicable

BACKGROUND

1. Field of Invention

This invention relates to what is generally known in the process industry as the alarm management problem. Process alarms are an integral part of process operation in every type and size of operation, ranging from the simplest of processes to complex refinery operations involving tens of thousands of process alarms, if not more. Alarm management is an important aspect of ensuring environmental, equipment and personnel safety, including product quality assurance. It pertains to the very essence of operating a modern-day plant. Therefore, it is not surprising to find that alarm management ranks as the top priority for management in the entire chemical, refinery and other process industries. The more integrated and the more complex a process operation, the more demanding and challenging the alarm management problem. The alarm management problem is invariably described in terms of “nuisance” alarms, an “avalanche” of alarms, “flooding” of alarms, etc. To redress these problems of alarm management, many approaches have been tried with varying degrees of success, involving what is generally known in the industry as rationalization of alarms, proper configuration of alarms at the distributed control system (DCS), good documentation, operator training and in-depth root cause analysis, both off-line (post incident) and on-line. Ironically, one of the common practices used is what is generally known as “alarm suppression” in the event of a serious plant situation, to assist the operator in dealing with the problems at hand. On one hand this approach has validity, whereas on the other hand it has the potential of suppressing an alarm or a group of alarms that might compromise safe operation and recovery. None of these various techniques and their combinations has solved the problem of alarm management in its entirety. Everyone sees the problem with alarms but nobody knows how to approach it. In every attempt to tackle this multi-faceted alarm management problem, everyone is looking for a magic bullet, but none is to be found. The present invention offers an innovative basic tool which has the potential to provide a basis for tackling this otherwise challenging problem area.

In almost all process operations, there is a process control system of some kind and there is an alarm system of some kind. These two systems interrelate minimally. Alarm systems are considered strictly for safety, albeit in a reactive and rather too late manner, whereas the process control system is considered primarily for control of process operations as it relates to production of products. This is borne out by the fact that invariably, when an unsafe operating condition arises in a plant, the advanced control system is taken off and the operator intervenes to bring the process back to a safe condition. It is indeed ironic that the advanced control system, with all its model predictive control capability as practiced in the prior art, is not capable of alarm avoidance. Hereon the term alarm avoidance will be used strictly to mean keeping an alarm from happening or staying clear of an alarm, and not suppressing it. Therefore, in this invention alarm reduction is sought by alarm avoidance rather than by alarm suppression. In other words, alarm avoidance herein means preventing alarm limit violations by means other than suppression. As disclosed in this invention, this shortcoming of the prior art advanced control system stems from the lack of an inherent ability to perform what is described herein as dynamic model predictive control. A closer examination of the prior art advanced level control system would reveal that there is no explicit consideration of, first, when and how to control a process so as to avoid alarms from happening in the first place and, second, how to control a process so as to get out of or away from an alarm condition in an explicit and direct way; that is, to prevent alarm violations in an explicit manner so as to affect the control actions, and also to move the process to a safe condition when required by the operator. That is to say, an advanced process control that can solve a multivariable optimization problem of a large number of problems lacks a rudimentary capability to forestall an alarm condition from happening. On the other hand, even a more elaborate and expensive alarm management system is incapable of assisting an operator in dealing with a true unsafe operating condition. In an attempt to make an alarm management system assist an operator under unsafe operating conditions, separate systems in the guise of what is described in the industry as “intelligent” alarm management systems are increasingly being deployed, with limited success. The result is that two systems, each of immense complexity and with minimal direct interconnections, are given to the operator to control and manage the process, with not much success.

The present invention offers a practical solution that would enable both normal process control and alarm management to be dealt with in an integral manner, in which alarm control (as against alarm management) becomes a control problem, albeit with different characteristics and requirements than the control actions pertinent to optimization and control of production. Another way to state this is to say that the advanced control system based on the present invention would ensure safe operation of the unit no matter how hard the production is optimized. Doing so would enable the advanced control system to function as an alarm-preventing tool as well as an alarm management system while it controls the process optimally. Thus, incorporating alarm control would alleviate many aspects of the alarm management problem. For instance, as disclosed later herein, the invention offers a method whereby alarm reduction of up to 95-98 percent can be achieved that would eliminate the need for “deviation alarms” entirely while improving the controllability of the process under alarm conditions.

2. Background of the Invention

Since its inception in early 1980, the basic formulation of Model Predictive Control (MPC) has evolved as a bulwark of advanced control involving multiple variables: a number of manipulated variables, a number of controlled variables and a number of feedforward/disturbance variables, as disclosed in U.S. Pat. No. 4,349,869. In the basic design of the prior art MPC, the controlled variables are controlled to low/high limits. By design, a prior art MPC would certainly include safety related variables along with the product quality variables; for instance, it would have a maximum skin temperature for a furnace or a maximum reactor bed temperature for a reactor. However, due to the limitations of control actions, most of these safety related variable limits are safe-sided, for the obvious reason that the advanced control system (ACS) is not capable of controlling the process to the limits reliably and robustly. Thus, the limits set in the advanced control system are invariably safe-sided to provide a safe operating margin. But, ironically, in many instances, unknown to the operator, the advanced control system actions would leave the process vulnerable to violating the true limits, either by the effects of its own actions or by disturbance effects. Here there are two important issues: firstly, the control limits used by the ACS are not the true limits and therefore cannot be reliably used except with safe-siding; secondly, even the most advanced ACS lacks the capability to control a process so as to avoid the limit violations dynamically. For these two reasons, it is understandable that in the prior art the true limits are seldom used. This renders the ACS irrelevant both to preventing alarms and to effecting control to get away from the violations once they happen.

Since MPC forms the bulwark of advanced control in the industry, hereon we will use it to disclose the invention without limiting the invention to it in any way; what is disclosed herein is applicable to other forms of control as well. Those skilled in the art would appreciate that the issues, the problems and the solutions are equally relevant to other types of advanced control system lacking what is disclosed herein.

In the prior art, the alarm limits are not taken into account at all except by way of safe siding in setting the controlled variable limits. In many instances, due to lack of robustness and stable closed-loop operation, this safe siding from the true alarm limits is done purposely to avoid the limit violation, which then conflicts with the objective of pushing the process to the production limits. This trade-off between being safe at all times and yet pushing the production to the limits at all times is compromised: either too much safe siding is done, leading to inefficient operations, or the production is pushed too hard, exposing the process to unsafe operating conditions. Therefore, as disclosed herein later, in many instances the prior art MPC would not perform optimally, robustly and safely. In fact, as disclosed further herein, this safe siding from the alarm limit does not in itself really help; in many instances it may hinder the controller's ability to recover from the violation or in the approach to it.

SUMMARY

A key problem with prior art MPCs is that they typically ignore the true alarm limits of the variables, which could be used to control the process so as to avoid alarms from happening in the first instance and, secondly, to control the process so as to recover from alarm violations.

An object of the present invention is thus to provide a system and method which would explicitly incorporate alarm limits of the variables to constrain both optimization and control actions, and thus significantly improve both alarm avoidance and recovery from any violating alarm conditions. The objective of the present invention is to disclose a method and a system of advanced control wherein the number of alarms is significantly reduced while pushing the process to its maximum production limits.

BRIEF DESCRIPTION OF THE DRAWING

FIG. 1 is a block diagram of the Prior Art

FIG. 2 is a block diagram of the present invention

FIG. 3 is a block diagram illustrating Dynamic MPC with Embedded Alarm Controls as per the present invention

FIG. 4 is an illustration of dynamic violation of a controlled variable with Embedded Alarm Limits

FIGS. 5a, 5b and 5c are graphical representations of the present invention

FIG. 6 is a schematic of the DeButanizer Schematic Process Flow Diagram

FIG. 7 is Process Variables of DeButanizer Example

FIG. 8a is a graphical representation of the Alarm Response with Not Well Designed and Tuned prior art MPC

FIG. 8b is a graphical representation of the Alarm Response with Improved Controller Design and Tuning

FIG. 8c is a graphical representation of the Alarm Response with Improved Controller Design and Tuning and Embedded Alarm Control

FIG. 8d is a graphical representation of the Alarm Response with EDACS with Embedded Alarm Control with Alarm Limits Tuned for Variable 4 & 5

FIG. 9 is a graphical representation of the Alarm Response with Not So Well designed Prior Art MPC

FIG. 10 is a graphical representation of the Alarm Response with Well designed EDACS with Embedded Alarm Control

FIG. 11 is a block diagram of the Contextual Alarm Control

FIG. 12a is a graphical representation of the As per Prior Art Raw/Filtered Alarms

FIG. 12b is a graphical representation of the As per Prior Art Raw/Filtered Alarms Details

FIG. 13 is a graphical representation of the As per the present invention Raw/Filtered Alarms

DETAILED DESCRIPTION

U.S. patent application Ser. No. 11/999,056 (US Publication No. 20080140227) titled Dynamic Model Predictive Control filed by the present inventor is hereby incorporated by reference in its entirety as though fully and completely set forth herein.

The present invention relates to what is described herein as an alarm control system that would perform avoidance of alarms by predicting alarm violations and determining the corrective actions necessary to prevent alarm activations, within and as part of the advanced control system that is used for control and optimization of a process or processes. Thus, the alarm control system is termed as being embedded within the advanced control system, or is simply referred to as embedded alarm control. Therefore, in accordance with the present invention, the alarm control system is considered to be a particular characterization of control requiring its own considerations within the framework of what is typically done in the prior art for normal operation control and optimization. This is a clear departure from the common practice in the prior art of having a separate alarm management system and a separate advanced control system. In fact, a careful examination of the details relating to the method of the alarm management system and the advanced control system used in the prior art would reveal that there is no direct and explicit way of interrelating them, so much so that when the alarms become active the advanced control system is more often than not taken off line.

In fact, in most process-upset situations, the operator would rely on the alarm management system to manage the process. In a metaphorical sense, an alarm management system is typically not meant to provide alarm control; it is designed to assist the operator in the event of an alarm occurring or in the aftermath of loss of control of the process or, in other words, to assist the operator in making the best of a bad situation. The motivation of the present invention, by contrast, is to act on incipient alarms, prevent them and, when they actually happen, maintain the process integrity and provide significantly aggressive but stabilizing control actions from the advanced control system so as to enhance the recovery to normal operation safely and timely.

For the sake of exposition, only the specific details relating to the embedding of alarm control within the advanced control system are illustrated and discussed by way of an exemplary description. Those skilled in the art would understand and know that the description does not limit the general and wider applicability of the invention.

FIG. 4 illustrates a simplified and exemplary view of a controlled variable limit violation. As shown, the low/high control limits used in the prior art MPC are typically set in consideration of the process limitations. For the most part, these control limits are set away from the true (alarm) limits for the reason of safe siding in the prior art, as disclosed earlier. These control limits are set at the onset of commissioning an MPC and perhaps revised now and again, but at no time is there an explicit and direct relationship incorporated within the prior art MPC to connect the control limits used within it to the alarm limits used by the DCS system.

It is interesting to examine further how a prior art MPC would respond to two dynamically violating situations as shown in FIG. 4. Both 305 and 306 are shown as violating the high control limit 302, whereas 306 is shown as violating the high alarm limit as well. Both 305 and 306 are predicted to attain the same steady state, and hence the steady state optimization solution in these two cases would be the same, assuming everything else is the same. However, the dynamic move calculations in each case would be different. In the case of 306, the bigger violation would result in more aggressive control action from the prior art MPC as compared to the control actions for 305. It would seem that this should be of no consequence. However, in consideration of the high alarm limit violation, it would seem that in the case of 305 there is indeed no need for a control move at all, whereas in the case of 306 there is clearly a need for a control move to avoid the high alarm limit violation at a future time. Since a prior art MPC does not include the alarm limits explicitly, it would instead use the high control limit as the violating limit for dynamic control move determination, resulting in a more aggressive control move than what is really warranted. Thus, for 306, although it would seem that the prior art MPC rightly takes control action, the control move would be more aggressive than what is really warranted with respect to the high alarm limit violation. Hence in both these cases, the prior art would be inappropriately aggressive. Therefore, even though the control limits are set to provide safe siding, the manner in which the prior art MPC can respond with its control actions, contrary to the design, can cause the alarm limits to be violated if the process is already in the vicinity, or induce even further violations. This is a self-contradictory, unexpected phenomenon underlying the prior art MPC using the control limits as depicted in FIG. 4.

It is interesting to note further that in response to such aggressive or unstable operation at or near control limits, an attempt is often made to detune the controller precisely to counteract the unnecessarily aggressive control actions explained above. It would seem that this detuning should help; however, once the process moves away from the control limits, the control actions become sluggish in avoiding or preventing the violation the next time around. With these incompatible control actions, it is not surprising that a prior art MPC does not work very well at or near the control limits. It lacks the right kind of control actions just when needed. As disclosed further herein, and as the results presented herein show, controller re-tuning is not the answer. Instead, the present invention offers a direct and explicit method of control that incorporates precisely the control actions required to deal with the violating response at or near the alarm limits. Alarm violation avoidance is not meant to suppress an alarm, but instead to affect the control actions so as to prevent the alarm incidence in the first place. By embedding alarm control limits explicitly within constrained optimization, the control actions that otherwise would have caused alarm incidence would be affected so as not to cause the alarm incidence. There will always be alarms caused by the measured/unmeasured disturbances that simply could not be avoided, but the alarms that otherwise would be caused could be avoided as per the present invention.

The invention disclosed herein would reveal that such incompatible control actions can be avoided and, in turn, the effectiveness of the control actions can be made consistent with the violating situations. Thus, the present invention proposes to overcome a serious deficiency of the prior art MPC in its design and functioning.

In accordance with the present invention, it is disclosed that a model predictive control incorporating an explicit dynamic optimization, as disclosed in a prior patent application (US Patent Publication No 20080140227) by the present inventor, be utilized in conjunction with the proposed method of control configuration disclosed herein. We will refer to the previously invented method of dynamic optimization in a model predictive control as Dynamic Model Predictive Control or simply DMPC, without loss of generality. The reference to DMPC is used as a means of illustrating the workings and set-up of how to handle alarm limits. Those skilled in the art would appreciate that the method disclosed herein could be incorporated in another suitable control system capable of avoiding dynamic violation of controlled variables.

The basic requirement of operation of a process unit that is continually prone to violating its alarm limits is to adjust the control limits in a way that would prevent the alarm limit violation, whether as a result of measured/unmeasured disturbances or of the controller's own actions, within the dynamic move calculation explicitly and directly. The basic premise in regard to alarm limit violation is that, dynamically, a controlled variable is more than likely to violate the alarm limit at times, either due to the process being pushed to its limits or due to disturbance effects. In practice, almost all alarming systems utilize what is commonly known as a dead band outside of the violating limit to control the alarm state. That is, every time a process variable violates its alarm limit by a small amount, there is no real need for initiating an alarm annunciation to the operator. Only when the violation has crossed a certain dead band is an alarm raised. Thus, once a variable is violating its alarm limit outside of the dead band, it remains in the alarm state (though not necessarily on continuous annunciation). As the variable crosses back to the limit and is within the dead band, the alarm state can be removed, indicating that the variable is recovering from the violation and therefore need not concern the operator. In the present invention, therefore, the difference between the control limits and the alarm limits forms the dead band referred to above.

The present invention proposes to incorporate within its dynamic move calculation, in effect, a method of compensation in anticipation of alarm limit violation and of the manner in which the alarms are typically annunciated and handled, so as to avoid the alarms becoming active in the first instance and, in the event an alarm limit is predicted to be violated, to compensate for it so that the violation would not occur at a future time. The end result of this would be to decrease the incidence of alarms significantly on one hand and, on the other hand, to provide for controlled recovery from the violation if the violation becomes unavoidable.

This requirement of the present invention necessitates that, within the dynamic move calculation of the DMPC, the constraints for the dynamic value of the controlled variables be modified as disclosed further below herein. In summary, the present invention proposes to use for each of the controlled variables a tuning factor that would increase or decrease the control limits to move them closer to or away from the alarm limits in accordance with the size of the dead band desired. That is depicted in FIG. 5a as internal dynamic alarm avoidance limits (307, 308).
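The effect of the tuning factor on the limit that the dynamic move calculation has to respect can be worked through numerically. The following Python sketch is an added example, not code from the patent: it computes the internal high alarm avoidance limit in the form of the right-hand side of constraint 2.4.2 given later in this description, then finds the smallest single first move that keeps two constructed FIG. 4 style trajectories under either the control limit (prior art) or that internal limit. The step response coefficients, trajectories, limit values, the positive-gain single-move simplification and all names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class HighLimits:
    control_high: float   # C^h_c: safe-sided control limit (302 in FIG. 4)
    alarm_high: float     # C^h_a: true alarm limit
    f_high: float = 1.0   # tuning factor f_a^h (assumed range 0..1)
    theta: float = 0.0    # tolerance theta, a small number

    def avoidance_high(self) -> float:
        """Internal dynamic alarm avoidance limit: right-hand side of 2.4.2."""
        return (self.theta
                + self.f_high * (self.alarm_high - self.control_high)
                + self.control_high)


def predict(free: List[float], g: List[float], dm: float) -> List[float]:
    """C^k = C^k* + g^k * dM for one manipulated variable moved once at k = 1."""
    return [c + gk * dm for c, gk in zip(free, g)]


def first_move_for_limit(free: List[float], g: List[float],
                         limit: float) -> Tuple[float, List[int]]:
    """Smallest-magnitude single move keeping every reachable C^k <= limit.

    Simplification (assumption): one move, non-negative step response, high
    limit only. The patent instead solves a constrained optimization.
    Returns (move, intervals where the violation cannot be avoided because
    the step response is still zero there, i.e. inside the dead time).
    """
    if len(free) != len(g):
        raise ValueError("free response and step response differ in length")
    if any(gk < 0.0 for gk in g):
        raise ValueError("this sketch assumes a non-negative step response")
    unavoidable = [k for k, (c, gk) in enumerate(zip(free, g), start=1)
                   if gk == 0.0 and c > limit]
    # Each interval with g^k > 0 bounds the move from above: dM <= (limit - C^k*) / g^k
    bounds = [(limit - c) / gk for c, gk in zip(free, g) if gk > 0.0]
    return min([0.0] + bounds), unavoidable


def compare(free: List[float], g: List[float], limits: HighLimits) -> Dict[str, object]:
    """Move sized against the control limit versus the embedded alarm avoidance limit."""
    prior_move, _ = first_move_for_limit(free, g, limits.control_high)
    embedded_move, unavoidable = first_move_for_limit(free, g, limits.avoidance_high())
    return {"prior_move": prior_move,
            "embedded_move": embedded_move,
            "unavoidable_intervals": unavoidable}


# Constructed sample data (not from the patent): unit step response with one
# interval of dead time, and free responses C^k* that settle at the same value.
G = [0.0, 0.2, 0.5, 0.8, 1.0, 1.0]
TRAJ_305 = [99.0, 101.0, 102.5, 102.0, 101.0, 99.5]   # above control limit only
TRAJ_306 = [99.0, 102.0, 105.5, 106.0, 103.0, 99.5]   # above the alarm limit too
TRAJ_DEADTIME = [104.5, 103.0, 101.0, 100.0, 99.5, 99.5]  # violates before any move acts

if __name__ == "__main__":
    limits = HighLimits(control_high=100.0, alarm_high=104.0, f_high=1.0)
    for name, traj in (("305", TRAJ_305), ("306", TRAJ_306), ("dead time", TRAJ_DEADTIME)):
        print(name, compare(traj, G, limits))
```

With these constructed numbers the control-limit calculation moves the manipulated variable for both trajectories, while the embedded limit leaves 305 alone and asks for a smaller move on 306; the third trajectory shows a violation that no move can prevent.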

The process 201 characterized in FIG. 3 can be a simple process involving one input variable and one output variable, or a more complex process involving multiple input variables and multiple output variables. With the prior art MPC, the problem of dynamic violation of the controlled variables becomes much more difficult and challenging as the size of the process becomes large.

In FIG. 3, 213 constitutes what is described in the prior patent application referenced herein as Dynamic Model Predictive Control, combining steady state optimization and dynamic move calculation in one constrained optimization.

FIG. 3 shows an improved control system in which the dynamic MPC is used in conjunction with the embedded alarm limits as proposed by the present invention.

It is assumed that the process is characterized by a set of variables,such as

M^(d) represents dynamic values of manipulated variables

C^(d) represents dynamic values of controlled variables

D^(d) represents dynamic values of disturbance variables,

M represents steady values of manipulated variables

C represents steady state values of controlled variables

D represents values of disturbance variables at initial time

At steady state, C=C^(d), M=M^(d)

Further, it is assumed that

there are m number of manipulated variables,

there are c number of controlled variables,

there are d number of disturbance variables.

The process 201 is considered to be a dynamic system, and the dynamic response of the controlled variables is characterized by the following

$$(C, C^{d}) = G(M^{d}, D^{d}) \tag{1}$$

where G describes the dynamic response of the controlled variables as (C, C^(d)) to a given set of dynamic moves in M^(d) and dynamic disturbance future changes in D^(d). (C, C^(d)) is considered to consist of the steady state response as C and the dynamic response as C^(d). Of course, in the steady state of the process C^(d) attains the value of C. For the purpose of formulation, both C and C^(d) are considered as separate where appropriate. In addition to the variable M^(d), for the purpose of steady state optimization, its steady state variable will be used as M. It is important to note that D^(d) is essentially considered as external variables not determined by the optimization solution but rather affecting it. For a typical MPC application, D^(d) relates to the actual dynamic change as measured at the start of the control cycle, while for the most part future dynamic changes in it are considered to be unknown and hence zero. However, the formulation presented herein does permit a rather more interesting case wherein the dynamic changes in D in the future can be included, as further disclosed under a further embodiment of the present invention.

The object of the dynamic MPC with future trajectory of feed forward variables as proposed by the present invention is to optimize an objective function involving (C, C^(d), M, M^(d)) subject to a set of constraints relating to the variables (C, C^(d), M, M^(d)), with the process dynamics characterized by Eqn 1 above, as stated below, that would result in determination of the optimal value of (C, C^(d), M, M^(d)). Since (C, C^(d)) are dependent variables, in essence the proposed dynamic optimization yields (M, M^(d)) as the optimal solution.

As disclosed in the prior patent application by the inventor, the following is incorporated herein for reference, followed at the end by the changes to the formulation pertinent to the present invention.

The objective function J is to be maximized, in a general form as below and in an exemplary form as in Eqn 2.

$$J = F(M, C, D^{d}, M^{d}, C^{d}) + \sum\sum P^{l}_{c} C^{l} + \sum\sum P^{h}_{c} C^{h} \tag{1.1}$$

where F is some optimizing function for the process over the time horizon of time to steady state for the process. Thus, as formulated above, J is to be optimized in consideration of both the steady state change and the pertinent dynamic moves determined by the optimization process described further herein. However, in most practical applications, F(M, C, D^(d), M^(d), C^(d)) is really of the form F(M, C, D), not including dynamic variables. Those skilled in the art would appreciate that not including the dynamic variables (M^(d), C^(d)) does not really impair the formulation presented henceforth. Thus, hereon, we can assume the optimizing function to be of the form F(M, C, D) without loss of generality.

For the purpose of exposition but not limiting, a simple form of the optimizing function will be followed hereon as

$$J = P_{m} M + P_{c} C + \sum\sum P^{l}_{c} C^{l} + \sum\sum P^{h}_{c} C^{h} \tag{2}$$

Eqn 2 incorporates the steady state optimization function and the sum of all penalties for all low/high dynamic violations of the controlled variables. It is understood that those skilled in the art would anticipate the various alternate forms of F(M, C, D^(d), M^(d), C^(d)) that could be incorporated within the optimization process described herein. For the sake of exposition but not limiting, hereon G is considered to be a linear dynamic model of step response (discrete time) type commonly used in the model predictive control field. That is to say, using a discrete coefficient dynamic model for the process, the steady state value of the controlled variables is determined by

$$C_{i} = C_{i}^{*} + \sum g_{i,j}\,(M_{j} - M_{j}^{*}) + \sum g_{i,l}\,(D_{l} - D_{l}^{*})$$

and the dynamic value of the controlled variables is determined by

$$C_{i}^{k} = C_{i}^{k*} + \sum\sum g_{i,j}^{k}\,\Delta M_{j}^{k} + \sum\sum g_{i,l}^{q}\,\Delta D_{l}^{q}$$

Subject to:

$$M^{l} \le M \le M^{h} \tag{2.1}$$

$$C^{l} \le C \le C^{h} \tag{2.2}$$

$$C_{i} = C_{i}^{*} + \sum g_{i,j}\,(M_{j} - M_{j}^{*}) + \sum g_{i,l}\,(D_{l} - D_{l}^{*}) \tag{2.2.1}$$

$$-\Delta M_{j}^{l} \le \Delta M_{j} \le \Delta M_{j}^{h} \tag{2.3}$$

$$0 \le \Delta M_{j}^{+} \le \Delta M_{j}^{h} \tag{2.3.1}$$

$$0 \le \Delta M_{j}^{-} \le \Delta M_{j}^{l} \tag{2.3.2}$$

$$\Delta M_{j} = \Delta M_{j}^{+} - \Delta M_{j}^{-} \tag{2.3.3}$$

$$\Delta M_{j}^{1} = M_{j}^{1} - M_{j}^{*} \quad \text{where } M_{j}^{*} \text{ is the current value of } M_{j}$$

$$\Delta M_{j}^{k} = M_{j}^{k} - M_{j}^{k-1} \quad \text{for } k = 2 \ldots k_{MV} \tag{2.3.4}$$

$$\Delta M_{j}^{k} = 0 \quad \text{for } k = k_{MV}+1 \ldots k_{CV} \tag{2.3.5}$$

$$\sum \Delta M_{j}^{k} = M_{j} - M_{j}^{*} \tag{2.3.6}$$

$$-\theta \le C_{i}^{k} - C_{i}^{k\,ref} - C^{h}_{i} + C^{l}_{i} \le \theta \tag{2.4}$$

$$0 \le C^{h}_{i} \tag{2.5}$$

$$0 \le C^{l}_{i} \tag{2.6}$$

$$C_{i}^{k} = C_{i}^{k*} + \sum\sum g_{i,j}^{k}\,\Delta M_{j}^{k} + \sum\sum g_{i,l}^{q}\,\Delta D_{l}^{q} \tag{2.7}$$

Where

M^(l) is low limit of the manipulated variables, M

M^(h) is high limit of the manipulated variables, M

C^(l) is low limit of the controlled variables, C

C^(h) is high limit of the controlled variables, C

ΔM_(j) is dynamic move of manipulated variable, j

ΔM_(j) ⁺ is positive dynamic move of manipulated variable, j

ΔM_(j) ⁻ is negative dynamic move of manipulated variable, j

ΔM_(j) ^(l) is low limit of dynamic move of manipulated variable, j

ΔM_(j) ^(h) is high limit of dynamic move of manipulated variable, j

ΔM_(j) ^(k) is dynamic control move of the manipulated variable M_(j) at time k from now

M_(j) is the optimal steady state target of the manipulated variable, j

M_(j)* is the current value of the manipulated variable, j

D_(l) is the current value of disturbance variable, l

D_(l)* is the previous time period value of disturbance variable, l

C_(i)* is the currently predicted steady state value of the controlled variable C_(i) based on the recent past process condition

C_(i) is the steady state value as determined by the optimization

C_(i) ^(k) is predicted value of Controlled Variable, C_(i) at k time interval from now

C_(i) ^(k ref) is desired value of Controlled Variable, C_(i) at k time interval from now, this is further explained below.

C ^(h) _(i) is high limit dynamic violation variables of the Controlled Variable, C_(i)

C ^(l) _(i) is low limit dynamic violation variables of the Controlled Variable, C_(i)

C_(i) ^(k)* is dynamic value of Controlled Variable C_(i) at time k based on the past process condition

g_(i,j) is the steady state gain of the step response model of the Controlled Variable, C_(i) for a unit change in the manipulated variable, M_(j)

g_(i,j) ^(k) is the step response coefficient of the process model of Controlled Variable, C_(i) for a unit change in the manipulated variable, M_(j)

ΔD_(l) ^(k) is change in D_(l) at time k

g_(i,l) ^(k) is the step response coefficient of the process model of Controlled Variable, C_(i) for a unit change in said disturbance variable, D_(l)

θ is a permitted tolerance for deviation of the predicted dynamic value of the controlled variable from its reference path, a small number.

P_(m) is the price value for the manipulated variables, typically a negative value representing cost and a positive value representing benefit.

P_(c) is the price value for the controlled variables, typically a negative value representing penalty and a positive value representing benefit.

P ^(l) _(c) is a large penalty value to be applied for the controlled variable violating its low limit dynamically

P ^(h) _(c) is a large penalty value to be applied for the controlled variable violating its high limit dynamically

k relates to future time from now on, k=1 . . . k_(MV) . . . k_(CV)

q relates to future time from 1 . . . q_(FV)

where k_(MV) relates to the control horizon for manipulated variables moves, no manipulated variables to be applied beyond this time horizon so as to permit the controlled variables to attain their steady state,

whereas k_(CV) relates to the time to steady state for the controlled variables, it would be the longest time to steady state for the changes in the manipulated variables, M plus the longest control horizon. For simplicity and sake of exposition, it will be assumed that it relates to the maximum time to steady state considering all of the responses of the controlled variables for the changes in all of the manipulated variables plus the longest of the control horizon of all of the manipulated variables,

where q_(FV) is ranged in accordance with future known values

D^(d) is vector of dynamic values of disturbance variables in terms of its future values, for most part hereon D will be used in place of D^(d) without loss of generality

In the prior invention application by the present inventor, all of the pertinent details relating to the DMPC are fully described and are hereby incorporated fully by reference. Only changes pertinent to the present invention will be disclosed and discussed herein.

As per the present invention, constraints 2.4 are further modified to permit the avoidance of alarm violation as follows, recognizing that C_(i) ^(k ref) can be modified suitably when dealing with various categories of controlled variables, such as equipment limits, product quality limits including deviation of regulatory controlled variables such as temperature, pressure etc. from their respective set points.

$$-\theta + f_{a}^{l}\,(C^{l}_{a} - C^{l}_{c}) \le C_{i}^{k} - C_{i}^{k\,\mathrm{ref}} - C^{h}_{i} + C^{l}_{i} \le \theta + f_{a}^{h}\,(C^{h}_{a} - C^{h}_{c}) \tag{2.4.1}$$

Constraints 2.4.1 can be set up in a varying manner depending on the extent of alarm avoidance that is sought. This will be illustrated with a couple of examples. For product quality related controlled variables, constraints 2.4.1 can be modified as

$$-\theta + f_{a}^{l}\,(C^{l}_{a} - C^{l}_{c}) + C^{l}_{c} \le C_{i}^{k} - C^{h}_{i} + C^{l}_{i} \le \theta + f_{a}^{h}\,(C^{h}_{a} - C^{h}_{c}) + C^{h}_{c} \tag{2.4.2}$$

where

C^(l) _(c) is control low limit

C^(l) _(a) is alarm low limit

C^(h) _(c) is control high limit

C^(h) _(a) is alarm high limit

f_(a) ^(l) is an operator set factor for the low alarm limit in the range (0,1.0)

f_(a) ^(h) is an operator set factor for the high alarm limit in the range (0,1.0)

θ is a small value for numerical tolerance close to zero value

C_(i) ^(k ref) is replaced by C^(l) _(c) at low limit violation and by C^(h) _(c) at high limit violation

Constraints 2.4.2 effectively embed the alarm limits with the control limits. Since these constraints are explicitly incorporated within the combined steady state and dynamic move control calculation as described above, they provide a means of affecting the controller moves that would avoid the controlled variables violation in the vicinity of the alarm limits. The f_(a) ^(l) and f_(a) ^(h) essentially set a dead band in the vicinity of the alarm limit and the control limit that could be used in the alarm avoidance move calculation. These operator set factors can be changed at any time to vary the extent of alarm avoidance; a smaller value would ensure greater avoidance. Constraints 2.4.2 are termed as Limit Violations Constraints.

In the case of dealing with regulatory control related variables such as reboiler temperature or overhead pressure, constraints 2.4.1 can be modified as follows

$$-\theta + f_{a}^{l}\,(C^{l}_{d}) \le C_{i}^{k} - C_{i}^{k\,\mathrm{ref}} - C^{h}_{i} + C^{l}_{i} \le \theta + f_{a}^{h}\,(C^{h}_{d}) \tag{2.4.3}$$

where

C^(l) _(d) is deviation alarm limit from the desired set point target C_(i) ^(k ref) on low side

C^(h) _(d) is deviation alarm limit from the desired set point target C_(i) ^(k ref) on high side

f_(a) ^(l) is an operator set factor for the low deviation alarm limit

f_(a) ^(h) is an operator set factor for the high deviation alarm limit

θ is a small value for numerical tolerance close to zero value

Constraints 2.4.3 are termed herein as Set Point Violation Constraints (or as SP Violations Constraints). It must be noted that for regulatory controlled variables, constraints 2.4.3 would be an additional set of constraints in addition to constraints 2.4.2. Thus, in the proposed method of alarm avoidance, for regulatory control variables, there would be two sets of constraints, namely Limit Violation Constraints for protecting against the absolute values, such as against maximum reboiler temperature limit, and SP Violation Constraints for protecting against what is generally known in the art as deviations from the set point at any time. Deviation alarms are commonly used in the industry to inform the operator of loss of control at the regulatory control level for the reasons of control output saturation or dynamic response which is either too fast or too slow, indicating the underlying regulatory control is either too fast or too slow. In a process-upset situation, these deviation alarms come on first, followed by the limit violation alarms. As a result, in most process-upset situations, too many deviation alarms come on. These deviation alarms are meant to be meaningful in a relatively stable operation leading to the controller output saturation etc., but are not really useful in a process-upset situation. In a way, in an actual process-upset situation, the deviation alarms are expected and hence the operator does not really need to know, and hence often they are considered as “nuisance alarms”. In Constraints 2.4.4, f_(a) ^(l) and f_(a) ^(h) can be relaxed temporarily to suppress deviation alarms if desired in a process-upset situation.

Closed Loop Dynamic Predictive Alarming

Another embodiment of the present invention is in regard to what is described herein as “Closed Loop Dynamic Predictive Alarming” or simply “Predictive Alarming”. That is, alarming in future time. In “Predictive Alarming”, when a controlled variable is predicted to violate the alarm limit in closed loop, that violation is alarmed in the sense that the operator is informed about it. The predictive violation of alarm is meant to inform the operator that with all of the past control actions, past disturbance variables effects, future control moves and including future scheduled feed forward changes, the controlled variable is predicted to violate its alarm limit and the extent of violation. These violations can be displayed on the DCS monitor as time based future values in various manners such as graphical display or tabular values. Depending on the mode of operation, the operator can be asked whether the embedded alarm system should be allowed to remove or minimize the predicted violations. Alternatively, if the operator had previously authorized the corrective actions, then the embedded alarm system would automatically go ahead and take corrective actions. The embedded alarm system would continue to monitor the predicted violations and if necessary take corrective action. At any time, the operator can choose to suspend the automatic predictive alarm violation correction. In that case, the embedded alarm system, if required, can continue to monitor but not act. In “Predictive Alarming” mode of operation, the EDACS is working to move the process away from the predicted alarm violations and return the process back to the normal control limit operation in a stable controlled manner.

For Predictive Alarming, a set of adjunct constraints relating to the controlled variables is added in conjunction with the constraints 2.4.

$$-\theta + A^{l}_{a} \le C_{i}^{k} - A^{h}_{i} + A^{l}_{i} \le \theta + A^{h}_{a} \tag{2.4.4}$$

where additionally,

A^(l) _(a) is alarm low limit

A^(h) _(a) is alarm high limit

A ^(h) _(i) is dynamic violation variables of the Controlled Variable, C_(i) from A^(h) _(a)

A ^(l) _(i) is dynamic violation variables of the Controlled Variable, C_(i) from A^(l) _(a)

θ is a small value for numerical tolerance close to zero value

Both A ^(h) _(i) and A ^(l) _(i) are treated in the same manner as C ^(h) _(i) and C ^(l) _(i), albeit with different penalties in the modified objective function as follows.

$$J = P_{m} M + P_{c} C + \sum\sum P^{l}_{c} C^{l} + \sum\sum P^{h}_{c} C^{h} + \sum\sum p^{l}_{c} A^{l} + \sum\sum p^{h}_{c} A^{h} \tag{1.1.1}$$

Where additionally,

p ^(l) _(c) is a large penalty value to be applied for the controlled variable violating its alarm low limit dynamically

p ^(h) _(c) is a large penalty value to be applied for the controlled variable violating its alarm high limit dynamically

Thus, with the additional constraints 2.4.4 and the modified objective function, the DMPC is set up to handle embedded predictive alarming and corrective action. For the most part, in practice, a process is operated to be within the control limits, with the alarm limits set to protect product quality, equipment, personnel and environment from process upsets and sudden process changes. Therefore, by design, the control limits are contained within the alarm limits. They can be close but obviously not the same. The difference in these two types of limits is a matter of safety considerations and risk management. However, in accordance with the present invention, by embedding both these two types of limits to work seamlessly, explicitly and directly, a much improved and effective method of managing these two types of limits can be administered within a plant or production system. The present invention offers a novel and unique method of interrelating both these two types of limits within the framework of advanced control that would not only control the process more robustly within the control limits, but under a process upset situation, can act appropriately to prevent alarm limit violations in a predictive manner, thereby providing early recovery actions and thereby preventing environmental impact or product degradation or equipment damage and consequently improving personnel safety.

The method of predictive alarming disclosed above can be made to work with different levels of alarm limits such as Alarm High Limit 304, Alarm High High Limit, Alarm High Limit, Alarm Low Limit, Alarm Low Low Limit and so on by including additional constraints of 2.4.4 and including additional terms in the objective function 1.1.1 as shown above. Thus it is possible to have multi-level alarm limits embedded within the method of alarm control in accordance with the present invention.
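As an added illustration (not code from the patent), the sketch below evaluates the avoidance band of constraints 2.4.2 and the dynamic violation variables of 2.4.4 over a predicted trajectory, with and without planned moves. It assumes the standard step-response superposition for the closed-loop prediction, since the prediction equations are not reproduced in this section; the names `CvLimits`, `avoidance_band`, `violations`, `predict`, `predictive_alarms` and all temperature values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CvLimits:
    control_low: float   # C^l_c
    control_high: float  # C^h_c
    alarm_low: float     # C^l_a (A^l_a in 2.4.4)
    alarm_high: float    # C^h_a (A^h_a in 2.4.4)

    def __post_init__(self):
        # "By design, the control limits are contained within the alarm limits."
        if not (self.alarm_low <= self.control_low
                < self.control_high <= self.alarm_high):
            raise ValueError("control limits must lie inside the alarm limits")


def avoidance_band(lim, f_low, f_high, theta=1e-6):
    """Lower and upper bounds of constraint 2.4.2 for operator factors f_a^l, f_a^h."""
    if not (0.0 <= f_low <= 1.0 and 0.0 <= f_high <= 1.0):
        raise ValueError("operator factors must be within [0, 1]")
    low = -theta + f_low * (lim.alarm_low - lim.control_low) + lim.control_low
    high = theta + f_high * (lim.alarm_high - lim.control_high) + lim.control_high
    return low, high


def violations(trajectory, low, high):
    """Smallest non-negative (v_high, v_low) per interval such that
    low <= c - v_high + v_low <= high, i.e. the dynamic violation variables."""
    return [(max(0.0, c - high), max(0.0, low - c)) for c in trajectory]


def predict(free_response, step_coeffs, moves):
    """Closed-loop prediction C^k = C^k* + sum_t g^(k-t) * dM^t (assumed
    superposition). moves[t] is applied t intervals from now; step_coeffs holds
    g^1..g^n and the last coefficient is reused once steady state is reached."""
    trajectory = []
    for k in range(1, len(free_response) + 1):
        effect = 0.0
        for t, delta_m in enumerate(moves):
            if k > t:
                effect += step_coeffs[min(k - t, len(step_coeffs)) - 1] * delta_m
        trajectory.append(free_response[k - 1] + effect)
    return trajectory


def predictive_alarms(trajectory, lim, theta=1e-6):
    """Constraint 2.4.4: (k, side, extent) for every future interval in which the
    controlled variable is predicted outside its alarm limits."""
    alarms = []
    bounds = (lim.alarm_low - theta, lim.alarm_high + theta)
    for k, (a_high, a_low) in enumerate(violations(trajectory, *bounds), start=1):
        if a_high > 0.0:
            alarms.append((k, "high", a_high))
        elif a_low > 0.0:
            alarms.append((k, "low", a_low))
    return alarms


if __name__ == "__main__":
    # Constructed reboiler-temperature case: control 140..160, alarm 135..165.
    limits = CvLimits(140.0, 160.0, 135.0, 165.0)
    free = [150.0, 156.0, 161.0, 164.0, 166.5, 165.5, 162.0]   # C^k*, no new moves
    print("band 2.4.2:", avoidance_band(limits, 0.5, 0.5, theta=0.0))
    print("open loop :", predictive_alarms(free, limits, theta=0.0))
    closed = predict(free, [-0.5, -1.0, -1.5, -2.0], [1.0, 0.5])
    print("with moves:", predictive_alarms(closed, limits, theta=0.0))
```
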

In the event of a process-upset situation, in many instances, an advanced process control system is unable to continue to control the process due to the manipulated variables limits constraints. That is to say, the controller lacks the MV-range to control the process. Or in other words, the optimizer hits an infeasible solution based on its prediction of the controlled variables future values. Typically, the MV-range is set in accordance with the normal operating range experience, not too wide. However, in a process-upset situation, the MV-range may be too restricting for the advanced controller to continue to control the process. For instance, typically, the feed rate range for a process unit would be set based on normal operating range conditions; however, in a process-upset situation, it may be necessary to reduce the feed rate beyond the low control limit. In a prior art MPC, in this case, the controller would simply give up and the operator would need to intervene. It would seem that the controller could have handled the process upset if only the low control limit of the feed rate was relaxed. This is a case in which the prior art MPC could continue to perform if it were not for its inability to relax a manipulated variable constraint in a process-upset situation. A further embodiment of the present invention offers a seamless method of handling process upset situations requiring any relaxation of the manipulated variables control limits up to the alarm limits. Like alarm limits for a controlled variable, alarm limits for a manipulated variable perform in much the same way.

As noted in the earlier patent application relating to DMPC, manipulated variables have what is considered to be steady state constraints as well as dynamic moves constraints within the steady state constraints, forming a cone like profile. Unlike controlled variables, manipulated variables constraints remain strictly binding at all times in that at no time can they be violated. However, as noted above, in a process-upset situation, unless the MV-range is relaxed appropriately, the controller would yield an infeasible solution and hence not make any further moves. To overcome this deficiency of the prior art MPC, in the present invention, a provision is made to relax the MV-range as needed up to the alarm limits so as to continue to control the process beyond its control limits. Therefore, it is envisaged that in a process-upset situation, the Embedded Dynamic Alarm Control System (EDACS), when it finds itself needing to move the manipulated variables outside of the control limit, would first determine the new MV-range, inform the operator and, on approval from the operator, then use that to recover from the process-upset. Upon returning to the control limits, as per the present invention, the EDACS would inform the operator of not needing the alarm limits use. The operator then can choose to remove the previously authorized use of the expanded MV-range. Of course, at any time as per the present invention, the operator would still have the flexibility to control how close to the alarm limits he would permit the MV-range to be expanded.

Manipulated Variables Range Relaxation

This ability to dynamically expand the MV-range up to the alarm limits provides a flexible method of dealing with a varying degree of process-upset conditions at the full discretion of the operator. It provides for a continual use of the EDACS beyond the control limits at the discretion of the operator in dealing with varying degrees of process-upset situations.

For the above mentioned embodiment of the present invention, constraints 2.1 are further modified as

$$M^{l}_{c} - f_{a}^{l}\,(M^{l}_{c} - M^{l}_{a}) \le M - M^{h}_{s} + M^{l}_{s} \le M^{h}_{c} + f_{a}^{h}\,(M^{h}_{a} - M^{h}_{c}) \tag{2.1.1}$$

$$M^{l}_{a} \le M + M^{h}_{s} - M^{l}_{s} \le M^{h}_{a} \tag{2.1.2}$$

where

M^(h) _(s) is optimizer slack variable for violating high limit with penalty value

M^(l) _(s) is optimizer slack variable for violating low limit with penalty value

M^(h) _(c) is high control limit

M^(l) _(c) is low control limit

M^(h) _(a) is high alarm limit

M^(l) _(a) is low alarm limit

f_(a) ^(h) is high control limit relaxation factor

f_(a) ^(l) is low control limit relaxation factor

Constraints 2.1.1 and 2.1.2 provide for operator-controlled relaxation of the control limits pertaining to a manipulated variable in the event of a process upset situation requiring the EDACS to continue to perform control actions. In accordance with constraint 2.1.1, under normal operating condition, both f_(a) ^(l) and f_(a) ^(h) would be zero and M^(h) _(s) and M^(l) _(s) would not be present in the optimizer as slack variables. In the event of a process upset situation requiring the manipulated variable range relaxation, it is envisaged that the EDACS would determine an initial feasible solution with f_(a) ^(l)=1.0 and f_(a) ^(h)=1.0 with both M^(h) _(s) and M^(l) _(s) included in the optimizer as slack variables with the appropriate penalty values. The EDACS would determine the value of M^(h) _(s) and M^(l) _(s) indicating by how much either the high control limit or low control limit needs to be changed. Note that constraints 2.1.2 ensure that at no time are the alarm limits of the manipulated variable violated in any way. The operator can be informed of the new desired limit and upon his approval implement the new limits. Thus constraints 2.1.1 and 2.1.2, in conjunction with the rest of the EDACS, provide a method of relaxing the control limits of a manipulated variable up to its alarm limits under the control of the operator in a process upset situation.
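The approval-gated relaxation described above can be sketched as follows; this is an added example, not code from the patent. It assumes the value the optimizer needs (`required`) is supplied from outside and that the slack beyond a control limit maps linearly onto the relaxation factor; the class `MvRange`, its methods, the operator label and the feed-rate numbers are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class MvRange:
    control_low: float   # M^l_c
    control_high: float  # M^h_c
    alarm_low: float     # M^l_a
    alarm_high: float    # M^h_a
    f_low: float = 0.0   # f_a^l, zero under normal operation
    f_high: float = 0.0  # f_a^h, zero under normal operation
    audit: list = field(default_factory=list)

    def __post_init__(self):
        if not (self.alarm_low <= self.control_low
                < self.control_high <= self.alarm_high):
            raise ValueError("control limits must lie inside the alarm limits")

    def bounds(self):
        """Outer bounds of constraint 2.1.1 with the currently approved factors."""
        low = self.control_low - self.f_low * (self.control_low - self.alarm_low)
        high = self.control_high + self.f_high * (self.alarm_high - self.control_high)
        return low, high

    def clamp(self, value):
        """The MV limits stay strictly binding: a move never leaves bounds()."""
        low, high = self.bounds()
        return min(max(value, low), high)

    def propose(self, required):
        """Relaxation needed to reach `required`, capped at the alarm limits (2.1.2).
        Nothing is applied here; the result is what the operator is shown."""
        reachable = min(max(required, self.alarm_low), self.alarm_high)
        slack_high = max(0.0, reachable - self.control_high)  # M^h_s
        slack_low = max(0.0, self.control_low - reachable)    # M^l_s
        return {
            "required": required,
            "reachable": reachable,
            "slack_low": slack_low,
            "slack_high": slack_high,
            "f_low": slack_low / (self.control_low - self.alarm_low) if slack_low else 0.0,
            "f_high": slack_high / (self.alarm_high - self.control_high) if slack_high else 0.0,
            "within_alarm_limits": reachable == required,
        }

    def approve(self, proposal, operator, cap=1.0):
        """Apply a proposal only with a named operator; `cap` is how close to the
        alarm limits that operator permits the range to be expanded."""
        if not operator:
            raise PermissionError("relaxation requires operator approval")
        if not 0.0 <= cap <= 1.0:
            raise ValueError("cap must be within [0, 1]")
        self.f_low = min(proposal["f_low"], cap)
        self.f_high = min(proposal["f_high"], cap)
        self.audit.append(("approve", operator, self.bounds()))

    def revoke(self, operator):
        """Return to the normal control limits once the process has recovered."""
        self.f_low = self.f_high = 0.0
        self.audit.append(("revoke", operator, self.bounds()))


if __name__ == "__main__":
    feed = MvRange(80.0, 120.0, 60.0, 130.0)   # constructed feed-rate limits
    plan = feed.propose(70.0)
    print("unapproved move lands at", feed.clamp(70.0), "proposal:", plan)
    feed.approve(plan, operator="operator-1 (constructed)")
    print("approved range:", feed.bounds())
```
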

Controlled Variables Range Relaxation

It is possible that in a severe process-upset situation, the manipulated variables control limits relaxation mentioned above might not be enough, in which case ultimately it would be necessary to relax the controlled variables control limits for steady state. For this, constraints 2.2 are modified further as follows

$$C^{l}_{c} + f_{a}^{l}\,(C^{l}_{a} - C^{l}_{c}) \le C - C^{h}_{s} + C^{l}_{s} \le C^{h}_{c} + f_{a}^{h}\,(C^{h}_{a} - C^{h}_{c}) \tag{2.2.1}$$

$$C^{l}_{a} \le C + C^{h}_{s} - C^{l}_{s} \le C^{h}_{a} \tag{2.2.2}$$

where

C^(h) _(s) is optimizer slack variable for violating high limit with penalty value

C^(l) _(s) is optimizer slack variable for violating low limit with penalty value

C^(h) _(c) is high control limit

C^(l) _(c) is low control limit

C^(h) _(a) is high alarm limit

C^(l) _(a) is low alarm limit

f_(a) ^(h) is high control limit relaxation factor

f_(a) ^(l) is low control limit relaxation factor

Constraints 2.2.1 and 2.2.2 are in effect an equivalent form of constraints 2.1.1 and 2.1.2 for controlled variables. Therefore, in a severe process-upset situation wherein the control limit relaxation of the manipulated variables is either not permitted or not possible any further, the controlled variables control limits can be relaxed under the operator's control. Once again the operator can be informed of the extent of relaxation needed to continue control, and upon his approval the EDACS would use the relaxed control limits for recovering from the upset condition. As in the manipulated variables control limit relaxation, the operator can remove the control limit relaxation option when the process recovers.

The alarm limits referred to in the above disclosure of the present invention may relate to various level alarm limits such as High Limit, High High Limit, Low Limit, Low Low Limit. Any of these types of alarm limits can be used without loss of generality. Those skilled in the art would understand that the alarm limits referred to in the above disclosure can take different values and hence would not be limiting in any way the present invention.

Summarizing, in the present invention a three part modification of the EDACS is presented which would be used under different process upset situations. This includes embedding alarm limits for alarm avoidance, and relaxing control limits of both manipulated variables and/or controlled variables in dealing with a severe process upset situation so as to be able to continue to use the EDACS in assisting the operator to guide the process back to the normal control limits operation.

On-Demand Alarm Violation Correction

A further embodiment of the present invention is described as it relates to how to handle alarms relating to the variables NOT included within the scope of an advanced control system. It is a common practice in the industry that only a sub-set of all process variables are included within the scope of an advanced level control system. Variables most relevant to the normal operations are the ones which are obviously included within the scope of an advanced control system. As per the present invention, any and all variables within the scope of the EDACS could have embedded alarm limits as and when appropriate. This raises the question of what happens to alarm handling of the variables left out of the scope of the advanced controller. It is proposed that within the framework of the EDACS and in accordance with the present invention, additional controlled variables and manipulated variables can be interjected in response to an alarm condition. For instance, when a variable not included within the scope of the EDACS becomes alarm active, in response to that the operator could be given an option to include it within the scope of the EDACS. Assuming that this new variable was configured appropriately to be included within the scope of the EDACS, it is proposed that the variables list be expanded and the embedding of its alarm limit can be performed in real time. This would mean that an advanced controller, which ordinarily would not include this additional variable, would have its scope of variables expanded to include it and be ready and able to assist the operator in response to the upset process situation. Thus, the operator would still have the continual use of the rest of the advanced control in managing the process recovery. It is therefore not necessary to shed the controller simply because a variable is not ordinarily included in the controller but needs to be included in a particular process upset situation in response to an alarm condition affecting it. This embodiment of the present invention is aptly termed On-demand Alarm Violation Correction.

Use of Asymmetrical Control Action Including Applying Braking Action

As part of embedding alarm control within the advanced control system, a further embodiment of the present invention relates to application of aggressive control action in the event of a serious process upset situation to restore the process state to a safe and stable condition in a timely manner. In another U.S. Patent (U.S. Pat. No. 7,194,318) by the same inventor, a form of asymmetrical control actions is presented which would permit a varying degree of aggressive control actions while maintaining the process stability and integrity in dealing with a severe process upset in which the entire operating range of control can be deployed without being unduly restricted by the normal operation tuning or rate of change constraints. One particular form of control action in this respect is what is characterized as “braking action” in which the process is aggressively but safely brought to a safe operating point. Thus, the same advanced control system can be used to steer the process to a previously (safe operation) check pointed state. In this respect, the operator can choose to bring the process to a previously safe operating state from the list of previously check pointed safe operation. The main benefit of this is that the operator would feel confident that the advanced control system would apply aggressive control action as necessary while maintaining the process safety and product quality control in recovering from an unsafe and unstable process situation. One key weakness of prior art MPC is that it operates with symmetrical control action in that it will apply the same amount of control action irrespective of sign of error. Thus, in prior art there is no way to differentiate magnitude of control action in accordance with sign of violation. Therefore, any increase in aggressive control action for dealing with an alarm condition would mean the controller would apply the same aggressive level of control action on the other side of the violation, causing process instability. Thus it is not uncommon that prior art MPC is taken off under severe process upset condition. In contrast, what is really required is an asymmetrical form of control without loss of the process stability to deal with severe process upset condition. This can be accomplished by addition of the following constraints.

In accordance with the prior patent by the same inventor (U.S. Pat. No. 7,194,318), it is postulated that all physical systems possess a certain amount of capacity for material and energy holdup. Thus, a physical system can remain stable within its material and energy holdup capacity and any imbalances in either material or energy would induce process instability. Therefore, in order to keep the process under dynamic stability, the following inequalities must be satisfied for a change in state. That is,

$$-\eta H_{m} \le \sum \Delta F_{i,j} - \sum \Delta F_{o,k} \le \eta H_{m} \tag{3.1}$$

$$-\eta H_{e} \le \sum \Delta E_{i,l} - \sum \Delta E_{o,m} \le \eta H_{e} \tag{3.2}$$

where

ΔF_(i,j) is change in in-flow of material from stream j

ΔF_(o,k) is change in out-flow of material from stream k

ΔE_(i,l) is change in in-flow of energy from stream l

ΔE_(i,m) is change in in-flow of energy from stream m

H_(m) is the material holdup capacity of the process

H_(e) is the energy holdup capacity of the process

η is speed of optimization factor

i refers to in-flow

o refers to out-flow

j=1, Number of in-material flows

k=1, Number of out-material flows

l=1, Number of in-energy flows

m=1, Number of out-energy flows

Both (3.1) and (3.2) can be further stated as for all in flows and out flows,

$$-0.5\eta H_{m} \le \sum \Delta F_{i,j} \le 0.5\eta H_{m} \tag{3.1.1}$$

$$-0.5\eta H_{m} \le -\sum \Delta F_{o,k} \le 0.5\eta H_{m} \tag{3.1.2}$$

$$-0.5\eta H_{e} \le \sum \Delta E_{i,l} \le 0.5\eta H_{e} \tag{3.2.1}$$

$$-0.5\eta H_{e} \le -\sum \Delta E_{o,m} \le 0.5\eta H_{e} \tag{3.2.2}$$

In the same manner, 3.1.1-3.2.2 can be further stated as for each individual in/out flow,

$$-0.5\eta H_{m} \le \Delta F_{i,j} \le 0.5\eta H_{m} \tag{3.1.1.1}$$

$$-0.5\eta H_{m} \le -\Delta F_{o,k} \le 0.5\eta H_{m} \tag{3.1.2.1}$$

$$-0.5\eta H_{e} \le \Delta E_{i,l} \le 0.5\eta H_{e} \tag{3.2.1.1}$$

$$-0.5\eta H_{e} \le -\Delta E_{o,m} \le 0.5\eta H_{e} \tag{3.2.2.1}$$

The stability criteria as stated above are not operatively useful. The restatement below provides a practically useful method of stable directional optimization such that,

$$-0.5\eta H_{m} + {}^{*}F_{i,j}^{l} \le F_{i,j} \le {}^{*}F_{i,j}^{h} + 0.5\eta H_{m} \tag{3.1.1.2}$$

$$-0.5\eta H_{m} - {}^{*}F_{o,k}^{l} \le -F_{o,k} \le -{}^{*}F_{o,k}^{h} + 0.5\eta H_{m} \tag{3.1.2.1}$$

$$-0.5\eta H_{e} + {}^{*}E_{k,l}^{l} \le E_{k,l} \le {}^{*}E_{k,l}^{h} + 0.5\eta H_{e} \tag{3.2.1.1}$$

$$-0.5\eta H_{e} - {}^{*}E_{o,k}^{l} \le -E_{o,k} \le -{}^{*}E_{o,k}^{h} + 0.5\eta H_{e} \tag{3.2.2.1}$$

$$-0.5\eta H_{m} + \sum {}^{*}F_{i,j}^{l} \le \sum F_{i,j} \le \sum {}^{*}F_{i,j}^{h} + 0.5\eta H_{m} \tag{3.1.1.1.1}$$

$$-0.5\eta H_{m} - \sum {}^{*}F_{o,k}^{l} \le -\sum F_{o,k}^{h} + 0.5\eta H_{m} \tag{3.1.2.1.2}$$

$$-0.5\eta H_{e} + \sum {}^{*}E_{k,l}^{l} \le \sum E_{k,l} \le \sum {}^{*}E_{k,l}^{h} + 0.5\eta H_{e} \tag{3.2.1.1.1}$$

$$-0.5\eta H_{e} - \sum {}^{*}E_{o,k}^{l} \le -\sum E_{o,k} \le -\sum {}^{*}E_{o,k}^{h} + 0.5\eta H_{e} \tag{3.2.2.1.2}$$

$$-\eta H_{m} + \sum {}^{*}F_{i,j}^{l} - \sum {}^{*}F_{o,k}^{l} \le \sum F_{i,j} - \sum F_{o,k} \le \sum {}^{*}F_{i,j}^{h} - \sum {}^{*}F_{o,k}^{h} + \eta H_{m} \tag{3.3}$$

$$-\eta H_{m} + \sum {}^{*}F_{i,j}^{l} - \sum {}^{*}F_{o,k}^{l} \le \sum F_{i,j} - \sum F_{o,k} \le \sum {}^{*}F_{i,j}^{h} - \sum {}^{*}F_{o,k}^{h} + \eta H_{m} \tag{3.4}$$

where,

*F_(i,j) ^(l) refers to lowest value of F_(i,j) encountered

*F_(i,j) ^(h) refers to highest value of F_(i,j) encountered

The operation of (3.1.1.2) as a representative set is best illustrated graphically in FIG. 5a and FIG. 5b for two situations. In FIG. 5a, F_(i,j) is increased less than the permitted limit of 0.5ηH_(m) at Time 1 and Time 2 as determined by the optimizer due to the competing flows in (3.1.1.1.1). In FIG. 5b, a special case of this is shown for the feed rate to the unit. In this case, the feed rate is the only flow appearing in (3.1.1.1.1) and can be increased to the maximum limit of 0.5ηH_(m) by the optimizer if unhindered by any other constraint. However, as the feed rate approaches its final optimal steady state, the last increase may be less than 0.5ηH_(m). As shown in FIGS. 5a & 5b, the high inequality limit in (3.1.1.2) is dynamically expanded while the low limit remains unchanged. In the opposite situation of what is depicted in FIGS. 5a & 5b, the low limit is dynamically expanded while the high limit remains unchanged. Therefore, as the value of F_(i,j) increases or decreases, the appropriate limits are dynamically expanded as an enhanced formulation of MPC. This limit expansion is augmented with each step of optimization during each control cycle, as part of a receding horizon control scheme. As a result, all of the inequality constraints stated above will be updated dynamically at every control cycle both individually and collectively. The end effect is that at any time the optimizer can only push the variables to the nearest limit no more than 0.5ηH_(m). The inequality limit remains open on the opposite side, thereby providing a much larger move towards it in the event the variables were to be retracted. As a result, any process variable can return to its respective initial value unconstrained by 0.5ηH_(m). This is an asymmetrical directional move capability that can be used for the process to be returned to any prior state (see FIG. 5c). For instance, the optimizer will initially increase the feed rate to the process unit progressively with the permitted limit of 0.5ηH_(m). However, in response to an adverse disturbance condition, the optimizer will cut the feed rate aggressively up to the initial value of the feed rate and subsequently at the constrained rate of 0.5ηH_(m). This provides for asymmetrical control actions by which the EDACS can fully reverse the dynamic path in response to an adversely disturbed process. In the event the feed rate is aggressively cut, all of the other stability related variables would also be changed appropriately. As a result, all of the stability variables can move up or down in unison as the process moves towards the optimal targets under normal conditions or in response to adverse operating conditions while keeping the process within the safe operating limits. Moreover, even under adverse process situations, the controller will respond without resorting to situation based tuning changes. For instance, in response to a favorable disturbance such as an increase in calorific value of the fuel gas, the EDACS will progressively push the feed rate to a higher value. However, in response to sudden loss of fuel gas header pressure, it can reduce the feed rate by 50 percent or more without a loss of process stability. In fact, this asymmetrical control action capability allows an EDACS to be capable of returning the process to any previous feasible and stable operating point quickly. The asymmetrical control capability can provide what can be considered as Complete Cycle Control where a process goes through startup, normal operation and shutdown. During startup, feed rate is increased to its optimum target gradually while keeping product qualities within the spec, followed by a period of normal operation during which the feed rate is varied in response to disturbances, and finally followed by either a planned or unplanned shutdown. This complete cycle control capability can be adapted to operate a batch process, e.g. a batch distillation wherein both the heat input and the reflux are gradually increased to the maximum value in accordance with an optimal control policy, followed by a period of constant operation and finally followed by shutdown also in accordance with an optimal policy.

In accordance with the present invention, a braking action is included in the inequality constraint of each of the flows involved in material and energy imbalance to cause them to perform a forced reversal in direction, e.g. Eqn. (3.1.1.2) is modified as

$$-0.5\eta H_{m} + {}^{*}F_{i,j}^{l} \le F_{i,j} \le {}^{*}F_{i,j}^{h} + 0.5\eta H_{m} - b\,(F_{i,j}^{*} - {}^{*}F_{i,j}^{l}) \tag{3.1.1.3}$$

where,

b is rate of braking action (i.e. de-acceleration)

F_(i,j)* is current value of F_(i,j)

Thus, for startup and normal operation, b=0, for shutdown 0<b<=1. The braking action permits controlled removal of material and energy from a process without loss of stability.
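The moving window of (3.1.1.2) and the braking term of (3.1.1.3) can be traced for a single in-flow with the added sketch below, which is not code from the patent. It assumes the lowest and highest values encountered are running extremes since the controller started and that the value the optimizer wants is supplied as `desired`; the class `FlowEnvelope` and all numbers are constructed.

```python
class FlowEnvelope:
    """Per-cycle limits on one in-flow F_(i,j) under constraints 3.1.1.2 / 3.1.1.3."""

    def __init__(self, initial, eta, holdup):
        self.step = 0.5 * eta * holdup   # 0.5 * eta * H_m, the per-cycle push limit
        self.current = initial           # F_(i,j)*, current value
        self.lowest = initial            # *F_(i,j)^(l), lowest value encountered
        self.highest = initial           # *F_(i,j)^(h), highest value encountered

    def bounds(self, b=0.0):
        """Window for the next cycle. b=0 gives 3.1.1.2; 0<b<=1 adds the braking
        term of 3.1.1.3, which pulls the high limit down toward the lowest value."""
        if not 0.0 <= b <= 1.0:
            raise ValueError("braking rate b must be within [0, 1]")
        low = self.lowest - self.step
        high = self.highest + self.step - b * (self.current - self.lowest)
        return low, high

    def move(self, desired, b=0.0):
        """Clamp the optimizer's desired value into the window and update the
        extremes, as done at every control cycle of the receding horizon."""
        low, high = self.bounds(b)
        self.current = min(max(desired, low), high)
        self.lowest = min(self.lowest, self.current)
        self.highest = max(self.highest, self.current)
        return self.current


if __name__ == "__main__":
    feed = FlowEnvelope(100.0, eta=0.5, holdup=20.0)      # step = 5.0 per cycle
    print("ramp up :", [feed.move(150.0) for _ in range(4)])   # 5 units per cycle
    print("window  :", feed.bounds())                     # wide open on the low side
    print("braking :", feed.bounds(b=1.0))                # high limit forced below current
    print("upset   :", feed.move(60.0))                   # 25-unit cut in one cycle
```

The ramp-up is limited to 5 units per cycle, while the retreat covers the whole previously travelled range plus one step in a single cycle, which is the asymmetry the text describes.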

As a part of embedded alarm control, the braking action can be invoked for aggressive but stable recovery actions, which could not be done with the prior art with its separation of advanced control and alarm management control. The braking action is meant to be used within the current range of the manipulated variables with a varying degree of aggressive recovery action while keeping the process under stable condition. The inventive step in this regard is to steer the process towards a previously observed or recognized stable state (check pointed state) in a deliberate aggressive manner. Further, it is to recognize that operation of a process goes through a cycle involving startup, normal operation and shutdown. In all these three phases of cycle operation, the process has to remain stable at all times to avoid complete breakdown. It is logical therefore that in response to an alarm situation, the process needs to backtrack to a previous safe condition. For the most part, this means unloading the process of energy and/or material. Thus, a process that is controlled within the constraints of controlled imbalance of material and energy as disclosed in U.S. Pat. No. 7,194,318 by the present inventor can be managed with varying levels of braking action in response to alarm violations and recovery actions with embedded alarm control as disclosed herein.

In summary, the present invention offers a novel method of managing alarms in a process within advanced control such that, depending on the severity of a process upset, the advanced control system with embedded alarm control in accordance with the invention would apply different levels of control. That is,

at the lowest level of process severity where the controlled variables violate their alarm limits, the embedded alarm avoidance control disclosed above would assist in avoiding hitting the alarm limits,

at the next level of process severity where the advanced control is devoid of adequate manipulated variable range, the manipulated variable range relaxation disclosed above would assist in both avoiding hitting the alarm limits and in recovery from the alarm violations,

at the next level of process severity where the advanced control is not limited by the manipulated variable range but is constrained by the control limits of one or more controlled variables, the limiting controlled variables can have their control limits relaxed up to the alarm limits,

at the ultimate level of process severity, where all of the above levels of embedded alarm control could fail, the operator would deploy the emergency shut down procedure using the braking action.

Contextual Alarming

Another embodiment of the present invention relates to what is described herein as “Contextual Alarm Control” based on the specific state of control or lack of control of the process as a whole, its sub-processes and its variables. FIG. 11 depicts the basic steps of the contextual alarm control in collaboration with an operator. The basic premise of alarming employed is to inform the operator of the varying degree of loss of control across the process during a process upset so as to communicate to him in a meaningful way where the process is lacking in control. With the embedded alarm control within an advanced control system as proposed in this invention, a meaningful context relating to loss of control over the process can be discerned and communicated to the operator, both for informing him of the extent and characteristics of the alarm situation and of the various recovery control actions available from the advanced control system. Furthermore, the operator can be assisted in his decision as to how to recover by providing him with the effects of the various recovery control options so that he would know what to expect and when in the recovery process.

At the very top level of context, when an advanced control system with the embedded alarm control determines that it cannot control the process as a whole to all of its control limits in steady state, then clearly an alarming of that to the operator would indicate a cause for concern. In this context, as disclosed above, the operator can be informed of which MV or CV needs to be relaxed.

At the next level down, even though the process as a whole is determined to be controllable to all of its control limits, given the variability of measured and unmeasured disturbances, the process could experience dynamic deviation from its control limits, including its alarm limits. Thus, at this level, if a controlled variable is predicted to violate its control limit but not its alarm limit, then there is no cause for concern and hence no need for alarming. Whereas, if the controlled variable is predicted to violate its alarm limit at a future time, even though the process as a whole is still controllable to its control limits in steady state, then an alarm indicating this would be meaningful to the operator. A further variant of this would be to alarm based on a sub-process such as regulatory level control.

At the next level down is the most common form of alarming prevalent in the industry, the deviation alarm. A deviation alarm is given when the actual value of a process variable deviates from its set point beyond a set limit. For instance, if the furnace outlet temperature deviates higher from its set point by say 5 degrees F, then a high deviation alarm is given. In a process upset situation, even though the process would return to normal range later, there could be a number of deviation alarm instances in the meantime. In a normal operating environment, deviation alarms are therefore considered to be a “nuisance”, meaning not really helpful or necessary. Paradoxically, in a process upset situation the operator would also discount deviation alarms because they are considered to be caused by the upset and therefore not helpful. Once again, a contextual alarming of deviation from set point can be done that would minimize “nuisance” alarms and instead give the operator alarms which would be meaningful in the context of the process upset. In an advanced control system with embedded alarm limits, deviation alarms can be internally filtered so as to alarm only on those deviations that cannot be controlled either dynamically or in steady state. An example of this is given in the results presented below, indicating how this can help to reduce the number of deviation alarms significantly.

Summarizing, a structured contextual method of alarming can be developed based on the advanced control with the embedded alarm control, in part using the results of such an advanced control and in part the requirements of the most meaningful actions that an operator can take to recover control that is beyond the advanced control system scope. In this way, the contextual alarm control would provide a way to continue to control the process in conjunction with the operator actions. Thus, instead of the advanced control system being taken off as in the prior art, as per the invention, the advanced control system can continue to assist the operator during various phases of a process upset and its recovery to safe, normal operation. The contextual alarm control will ensure that at all times, the advanced control system and the operator remain engaged during all phases of process operation and control rather than having two separate systems. Thus, the advanced control system in accordance with the present invention would need to be more flexible than just doing the traditional control function; it should be effectively an open system embodying all of the details of the process and its control requirements, ranging from the lowest level of regulatory control to the highest level of control such as using braking action to shut it down. Such an advanced control system with such a wide control range and capabilities can then be used with the embedded alarm control as proposed in the present invention to provide the operator all that is needed by way of alarming and process management. In other words, instead of needing a system to manage alarms as espoused in the traditional alarm management system, the embedded alarm control within the advanced control system will manage the process in accordance with the alarming approach and strategy the operator would want and feel comfortable with (as per the view presented in FIG. 2). An illustrative example of this embodiment of the present invention is given by comparison with the prior art in FIG. 12 a through FIG. 14 and further discussed below.
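The three levels of contextual alarming described above can be sketched as a small filter; this is an added Python example, not code from the patent. The limit values, measured samples and predicted trajectories are constructed, the tag names are borrowed from the DeButanizer example on this page, and the rule that a deviation alarm passes only when steady state is infeasible or an alarm-limit violation is predicted is one reading of "cannot be controlled either dynamically or in steady state".

```python
"""Contextual alarm filter (illustrative; all limits and trajectories are constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Alarm = Tuple[str, str, str]  # (level, variable, message)


@dataclass
class CV:
    """A controlled variable with control limits nested inside alarm limits."""
    name: str
    control_lo: float
    control_hi: float
    alarm_lo: float
    alarm_hi: float
    setpoint: Optional[float] = None  # set only for regulatory loops
    dev_limit: float = 0.0            # deviation-alarm band around the set point


def first_violation(traj: List[float], lo: float, hi: float) -> Optional[int]:
    """First future interval k (1-based) at which traj leaves [lo, hi], else None."""
    for k, value in enumerate(traj, start=1):
        if value < lo or value > hi:
            return k
    return None


def raw_deviation_alarms(cv: CV, measured: List[float]) -> int:
    """Unfiltered behaviour: one deviation alarm per sample outside the band."""
    if cv.setpoint is None:
        return 0
    return sum(1 for pv in measured if abs(pv - cv.setpoint) > cv.dev_limit)


def contextual_alarms(cvs: List[CV], predicted: Dict[str, List[float]],
                      measured: Dict[str, List[float]],
                      steady_state_feasible: bool) -> List[Alarm]:
    alarms: List[Alarm] = []
    # Top level: the optimizer cannot hold every control limit in steady state.
    if not steady_state_feasible:
        alarms.append(("steady-state", "PROCESS",
                       "no feasible steady state within control limits"))
    # Next level: closed-loop prediction. Leaving the control limits alone is
    # not alarmed; only a predicted alarm-limit violation is.
    predicted_violation = False
    for cv in cvs:
        k = first_violation(predicted[cv.name], cv.alarm_lo, cv.alarm_hi)
        if k is not None:
            predicted_violation = True
            alarms.append(("predictive", cv.name,
                           f"alarm limit violation predicted at k={k}"))
    # Lowest level: deviation alarms pass only in a loss-of-control context
    # (assumed rule, see lead-in); otherwise they are filtered as nuisance.
    if (not steady_state_feasible) or predicted_violation:
        for cv in cvs:
            n = raw_deviation_alarms(cv, measured.get(cv.name, []))
            if n:
                alarms.append(("deviation", cv.name,
                               f"{n} samples outside deviation band"))
    return alarms


# Constructed sample data (not taken from the patent's figures).
TIC = CV("U8TIC_03PV", 240.0, 260.0, 230.0, 270.0, setpoint=250.0, dev_limit=5.0)
AI = CV("U8AI_20PV", 1.0, 3.0, 0.5, 4.0)
MEASURED = {"U8TIC_03PV": [250.0, 256.0, 258.0, 257.0, 255.5, 249.0, 243.0, 244.0, 251.0]}
TIC_PRED = [257.0, 261.0, 259.0, 254.0, 251.0]  # leaves control band, not alarm band
PRED_CONTROLLABLE = {"U8TIC_03PV": TIC_PRED, "U8AI_20PV": [2.8, 3.1, 2.9, 2.7, 2.5]}
PRED_UPSET = {"U8TIC_03PV": TIC_PRED, "U8AI_20PV": [3.2, 3.7, 4.2, 4.4, 4.1]}


def demo():
    """Return (raw deviation count, alarms when controllable, alarms in upset)."""
    raw = raw_deviation_alarms(TIC, MEASURED["U8TIC_03PV"])
    controllable = contextual_alarms([TIC, AI], PRED_CONTROLLABLE, MEASURED, True)
    upset = contextual_alarms([TIC, AI], PRED_UPSET, MEASURED, True)
    return raw, controllable, upset


if __name__ == "__main__":
    raw, controllable, upset = demo()
    print("raw deviation alarms:", raw)
    print("contextual, controllable case:", controllable)
    print("contextual, upset case:", upset)
```

With the same measured samples, the unfiltered count is six deviation alarms, while the filter raises none as long as the prediction stays inside the alarm limits and two once a product-quality variable is predicted to cross its alarm limit.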

An example of this embodiment of the present invention demonstrating embedding of alarm control within a dynamic model predictive control is presented. In FIG. 6 a schematic diagram of a typical DeButanizer process unit is depicted. In FIG. 7 a list of manipulated variables, controlled variables and feed forward variables is presented. As shown in FIG. 6, the process unit control includes a pressure-regulating loop along with the rest of the control of the unit. A large MPC controller is constituted to include all of the variables listed in FIG. 7, including the pressure-regulating loop, with 10 manipulated variables, 17 controlled variables and 2 disturbance variables.

As a demonstration of the application of the EDACS of this invention, the alarm limits relating to a total of six controlled variables, namely U8AI_20PV, U8PDI_21PV, U8AI_22PV, U8TIC_03PV, U8PCI_01PV and U8FI_10P, will be used. A total of 4 cases of comparison are presented, all of which have the same alarm limits. The 4 cases of comparison correspond to 4 different ways of controller operation as follows.

Case 1: In this case, the MPC is of the prior art but with the same alarm limits. As shown in the data presented herein, the controller tuning is not particularly desirable but illustrates what happens to alarm frequency in the presence of a poorly designed and tuned controller (see FIG. 8 a).

Case 2: In this case, the MPC incorporates an improved controller design. This case illustrates how the number of alarms can be reduced considerably with a better-designed and tuned controller (see FIG. 8 b).

Case 3: In this case, the alarm limits are embedded within an EDACS in accordance with the present invention (see FIG. 8 c).

Case 4: This case is an improvement on Case 3 in which the alarm limits are tuned to remove what can be considered as nuisance alarms relating to the deviations of two regulatory controlled variables, namely U8TIC_03PV and U8PCI_01PV (see FIG. 8 d).

It is clear from the comparison of the above four cases that Case 1 presents the most number of alarms in what may be considered as too many alarms, in excess of 470, clearly not a desirable case at all. Case 2 demonstrates that alarm violation pattern can be improved with better-designed MPC. Case 3 shows almost 50 percent reductions from Case 1 simply from a better-designed controller. Case 4 shows a further reduction from case 3 of 90 percent. It shows how the embedding of alarm limits as proposed as per the present invention. Case 4 shows a further reduction over case 3 of almost 99 percent. This shows how the deviations alarm can be filtered out without loss of control. In fact Case 4 can be characterized as being “alarm-free” operation.

Another two cases of alarm response with the feed temperature disturbance variable are shown in FIG. 9 and FIG. 10. FIG. 9 would be a typical alarm response from a prior art MPC with no embedded alarm control in accordance with the present invention. FIG. 10 would be a much improved response with almost 90 percent reduction in alarm violation of the two product qualities, namely overhead product and bottom product, for the same disturbance in feed inlet temperature as in the case of FIG. 9. Again, these comparisons in performance clearly demonstrate the beneficial impact of the present invention over the prior art.

In FIG. 12 a through FIG. 14, a comparison of the results of application of the contextual alarming is shown for the prior art MPC controller and the EDACS as per the present invention. In both cases the same alarm limits are used with identical process conditions except for the differences of the controller. In the case as per the present invention (FIG. 13), the number of raw alarms is significantly less than in the prior art (FIG. 12 a), whereas the number of filtered alarms is none. The contextual alarming can reduce the number of alarms in the case of the prior art, but the most significant improvement is achieved when the embedded alarm control as proposed in the present invention is used within an improved controller design such as the EDACS. Therefore, it can be said that the embedded alarm control within any controller can reduce the number of alarms; however, the most significant improvement is realized with a better designed and robust controller; that is, improved control means reduced alarming. A simple contextual filtering rule of controllability of the pressure control loop was utilized in this example.

In summary, the proposed method of embedding alarm limits has the potential of reducing the number of alarms significantly, in the order of 90-95 percent compared to otherwise. This would significantly change the way alarms are presently handled within an advanced control system. It has the potential of amalgamating the alarm management system with the advanced control system, resulting in improved control for normal operation as well as under process upset conditions and even under what is generally referred to in the industry as “Abnormal Situation”.

In summary, the above-disclosed general form of the embedding of alarm limits within an advanced controller provides a rich variety of formulations that could be used in dealing with many process-upset situations. The design of these would be based on judicious engineering, balancing performance against computational time and complexity.

The optimization problem as described above can be solved with solvers available today. The more complex and bigger the process is, the more detailed the computational steps required would be. For a linear dynamic system, a linear programming method of optimization incorporating the formulation as described herein would yield combined steady state and dynamic control move results for a model predictive controller. It is envisaged that for a non-linear dynamical system, an appropriate non-linear optimization method would be employed.

It will be understood by those skilled in the art that various modifications and changes may be made to the present invention without departure from the scope.

1. A method of controlling an operation of a process having a plurality of independently controlled, manipulated variables, at least one controlled variables and none or more disturbance variables comprising the steps of: a) determining simultaneously for each of said manipulated variables a set number of future dynamic moves along with a future steady state value and for each of said controlled variable, a set number of predicted future dynamic values along with a future steady state value in accordance with steady state constraints and dynamic constraints relating to each of said manipulated variables and said controlled variables including where appropriate in accordance with future values relating to each of said disturbance variables; b) embedding alarm controls in a simultaneous dynamic control and steady state optimization in accordance with varying type of alarming situations and aiding operator in recovery actions; and c) performing a receding horizon form of control wherein said control is performed at successive time interval by monitoring and feedback of process responses resulting from the control actions applied at previous time intervals; wherein said control process further comprises an objective function J in the form of
$$J = F(M, C, D^{d}, M^{d}, C^{d}) + \sum\sum P_{c}^{l}\, C^{l} + \sum\sum P_{c}^{h}\, C^{h},$$
wherein $F$ is some optimizing function for the process over the time horizon of time to steady state for said process, $M^{d}$ is dynamic values of manipulated variables over a predetermined time horizon, $M$ is steady state value of said manipulated variables, $C^{d}$ is dynamic values of controlled variables over a time horizon to steady state, $C$ is steady state value of said controlled variables, $D^{d}$ is a dynamic value vector of said disturbance variables over a time horizon no greater than said time horizon of dynamic values of said manipulated variables, and wherein further the process is considered to be a dynamic system, and said controlled variables response both in steady state and dynamic is characterized by $(C, C^{d}) = G(M^{d}, D^{d})$, $P_{c}^{l}$ is a penalty value to be applied for said controlled variable violating its low limit dynamically, $P_{c}^{h}$ is a penalty value to be applied for said controlled variable violating its high limit dynamically, further $C^{h}{}_{i}$ is high limit dynamic violation variables of said controlled variables, $C_{i}$ and $C^{l}{}_{i}$ is low limit dynamic violation variables of said controlled variables, $C_{i}$, the aforementioned control variables penalty relate to either economic criteria and/or safety criteria depending on the nature and characteristics of said controlled variable.
2. The method according to claim 1, wherein said steady state constraints comprise
$$M^{l} \le M \le M^{h}$$
$$C^{l} \le C \le C^{h}$$
where $M$ is steady state value of said manipulated variables; $C$ is steady state value of said controlled variables; $M^{l}$ is low limit of said manipulated variables, $M$; $M^{h}$ is low limit of said manipulated variables, $M$; $C^{l}$ is low limit of said controlled variables, $C$; $C^{h}$ is high limit of said controlled variables, $C$.
3. The method according to claim 1, wherein said dynamic manipulated variables constraints comprise
$$M^{l} \le M^{d} \le M^{h}$$
$$-\Delta M_{j}^{l} \le \Delta M_{j} \le \Delta M_{j}^{h}$$
$$0 \le \Delta M_{j}^{+} \le \Delta M_{j}^{h}$$
$$0 \le \Delta M_{j}^{-} \le \Delta M_{j}^{l}$$
$$\Delta M_{j} = \Delta M_{j}^{+} - \Delta M_{j}^{-}$$
$$-(1/k)\,\Delta M_{j}^{l} \le \Delta M_{j}^{k} \le (1/k)\,\Delta M_{j}^{h} \quad \text{for } k = 1 \ldots k_{MV}$$
where $\Delta M_{j}^{1} = M_{j}^{1} - M_{j}^{*}$, where $M_{j}^{*}$ being Current Value of $M_{j}$; $\Delta M_{j}$ is dynamic move of manipulated variable, j; $\Delta M_{j}^{+}$ is positive dynamic move of manipulated variable, j; $\Delta M_{j}^{-}$ is negative dynamic move of manipulated variable, j; $\Delta M_{j}^{l}$ is low limit of dynamic move of manipulated variable, j; $\Delta M_{j}^{h}$ is high limit of dynamic move of manipulated variable, j; $\Delta M_{j}^{k}$ is dynamic control move of said manipulated variable $M_{j}$ at time k from now; $M_{j}$ is optimal steady state value of said manipulated variable; $M_{j}^{*}$ is current value of said manipulated variable, j.
4. The method according to claim 1, wherein said dynamic constraints of said controlled variables comprise
$$C_{i}^{l} \le C_{i}^{k} \le C_{i}^{h}$$
$$-\theta \le C_{i}^{k} - C_{i}^{k\,\mathrm{ref}} - C^{h}{}_{i} + C^{l}{}_{i} \le \theta$$
$$0 \le C^{h}{}_{i}$$
$$0 \le C^{l}{}_{i}$$
where $C_{i}^{k}$ is predicted value of said Controlled Variable i at k time interval from now; $C_{i}^{l}$ is low limit said Controlled Variable i; $C_{i}^{h}$ is high limit said Controlled Variable i; $C_{i}^{k\,\mathrm{ref}}$ is desired value of said Controlled Variable i, $C_{i}$ at k time interval from now; $C^{h}{}_{i}$ is high limit dynamic violation variables of said Controlled Variable i, $C_{i}$; $C^{l}{}_{i}$ is low limit dynamic violation variables of said Controlled Variable i, $C_{i}$; $C_{i}^{k*}$ is dynamic value of said Controlled Variable $C_{i}$ at time k based on the past process condition; $\theta$ is a permitted tolerance for deviation of the predicted dynamic value of said controlled variable from its reference path, a small number; k relates to future time from now on, $k = 1 \ldots k_{MV} \ldots k_{CV}$; $k_{MV}$ relates to the control horizon for manipulated variables moves, no manipulated variables moves to be applied beyond this time horizon so as to permit said controlled variables to attain their steady state; $k_{CV}$ relates to the time to steady state for said controlled variables, it would be the longest time to steady state for the changes in said manipulated variables.
5. The method according to claim 1, wherein the optimizing function, $F(M, C, D, M^{d}, C^{d})$ is $P_{m}M + P_{c}C$ devoid of effects of dynamic values of said manipulated variables and said controlled variable on optimizing function F( ), where $P_{m}$ is the price value for said manipulated variables, typically a negative value representing cost and a positive value representing benefit, $P_{c}$ is the price value for said controlled variables, typically a negative value representing penalty and a positive value representing benefit.
6. The method according to claim 1, wherein the controlled variables dynamic response, $(C, C^{d}) = G(M^{d}, D^{d})$ is one of linear dynamic form represented as
$$C_{i} = C_{i}^{*} + \sum g_{i,j}\,(M_{j} - M_{j}^{*})$$
for steady state, and as
$$C_{i}^{k} = C_{i}^{k*} + \sum\sum g_{i,j}^{k}\,\Delta M_{j}^{k} + \sum\sum g_{i,l}^{q}\,\Delta D_{l}^{q}$$
for dynamic response, where $C_{i}^{*}$ is the currently predicted steady state value of said controlled variable based on past changes in said manipulated variables and said disturbance variables; $C_{i}$ is the steady state value of said controlled variables; $C_{i}^{k}$ is predicted value of said Controlled Variable, $C_{i}$ at k time interval from now; $C_{i}^{k*}$ is dynamic value of said Controlled Variable $C_{i}$ at time k based on the past process condition; $g_{i,j}$ is the steady state gain of the step response model of said Controlled Variable, $C_{i}$ for a unit change in said manipulated variable, $M_{j}$; $g_{i,j}^{k}$ is the step response coefficient of the process model of Controlled Variable, $C_{i}$ for a unit change in said manipulated variable, $M_{j}$; $\Delta D_{l}^{q}$ is change in $D_{l}$ at time q; $g_{i,l}^{q}$ is the step response coefficient of the process model of Controlled Variable, $C_{i}$ for a unit change in said disturbance variable, $D_{l}$; k relates to future time from now on, $k = 1 \ldots k_{MV} \ldots k_{CV}$; q relates to future time from $1 \ldots q_{FV}$; where $k_{MV}$ relates to the control horizon for manipulated variables moves, no manipulated variables to be applied beyond this time horizon so as to permit said controlled variables to attain their steady state, whereas $k_{CV}$ relates to the time to steady state for said controlled variables, it would be the longest time to steady state for the changes in the manipulated variables, M plus the longest control horizon, it will be assumed that it relates to the maximum time to steady state considering all of the responses of said controlled variables for the changes in all of the manipulated variables plus the longest of the control horizon of all of the manipulated variables, where $q_{FV}$ is ranged in accordance with future known values.
7. The method according to claim 1, wherein said embedding alarm controls additionally comprises; when relating to product quality controlled variables the following constraint is added to said simultaneous dynamic control and steady state optimization,
$$-\theta + f_{a}^{l}\,(C_{a}^{l} - C_{c}^{l}) + C_{c}^{l} \le C_{i}^{k} - C^{h}{}_{i} + C^{l}{}_{i} \le \theta + f_{a}^{h}\,(C_{a}^{h} - C_{c}^{h}) + C_{c}^{h}$$
where, $C_{c}^{l}$ is control low limit; $C_{a}^{l}$ is alarm low limit; $C_{c}^{h}$ is control high limit; $C_{a}^{h}$ is alarm high limit; $f_{a}^{l}$ is an operator set factor for the low alarm limit in the range (0,1.0); $f_{a}^{h}$ is an operator set factor for the high alarm limit in the range (0,1.0); $\theta$ is a small value for numerical tolerance close to zero value; $C_{i}^{k\,\mathrm{ref}}$ is replaced by $C_{c}^{l}$ at low limit violation and by $C_{c}^{h}$ at high limit violation.
8. The method according to claim 1, wherein said embedding alarm controls additionally comprises; when one of said controlled variables is predicted to violate the alarm limit in closed loop, the following constraint is added to said simultaneous dynamic control and steady state optimization for correction,
$$-\theta + A_{a}^{l} \le C_{i}^{k} - A^{h}{}_{i} + A^{l}{}_{i} \le \theta + A_{a}^{h}$$
where additionally, $A_{a}^{l}$ is alarm low limit; $A_{a}^{h}$ is alarm high limit; $A^{h}{}_{i}$ is dynamic violation variables of said controlled variable, $C_{i}$ from $A_{a}^{h}$; $A^{l}{}_{i}$ is dynamic violation variables of said controlled variable, $C_{i}$ from $A_{a}^{l}$; $\theta$ is a small value for numerical tolerance close to zero value. Both $A^{h}{}_{i}$ and $A^{l}{}_{i}$ are treated in the same manner as $C^{h}{}_{i}$ and $C^{l}{}_{i}$ albeit with different penalties in the modified objective function as follows
$$J = P_{m}M + P_{c}C + \sum\sum P_{c}^{l}\, C^{l} + \sum\sum P_{c}^{h}\, C^{h} + \sum\sum p_{c}^{l}\, A^{l} + \sum\sum p_{c}^{h}\, A^{h}$$
where additionally, $p_{c}^{l}$ is a large penalty value to be applied for said controlled variable violating its alarm low limit dynamically; $p_{c}^{h}$ is a large penalty value to be applied for said controlled variable violating its alarm high limit dynamically.
9. The method according to claim 1, wherein said embedding alarm controls additionally comprises; when responding to severe process upset requiring dynamic expansion of said manipulated variables the following constraint is added to said simultaneous dynamic control and steady state optimization,
$$M_{c}^{l} - f_{a}^{l}\,(M_{c}^{l} - M_{a}^{l}) \le M - M_{s}^{h} + M_{s}^{l} \le M_{c}^{h} + f_{a}^{h}\,(M_{a}^{h} - M_{c}^{h})$$
$$M_{a}^{l} \le M + M_{s}^{h} - M_{s}^{l} \le M_{a}^{h}$$
where $M_{s}^{h}$ is optimizer slack variable for violating high limit with penalty value; $M_{s}^{l}$ is optimizer slack variable for violating low limit with penalty value; $M_{c}^{h}$ is high control limit; $M_{c}^{l}$ is low control limit; $M_{a}^{h}$ is high alarm limit; $M_{a}^{l}$ is low alarm limit; $f_{a}^{h}$ is high control limit relaxation factor; $f_{a}^{l}$ is low control limit relaxation factor.
10. The method according to claim 1, wherein said embedding alarm controls additionally comprises; when responding to severe process upset requiring dynamic expansion of said controlled variables limits the following constraint is added to said simultaneous dynamic control and steady state optimization as follows,
$$C_{c}^{l} + f_{a}^{l}\,(C_{a}^{l} - C_{c}^{l}) \le C - C_{s}^{h} + C_{s}^{l} \le C_{c}^{h} + f_{a}^{h}\,(C_{a}^{h} - C_{c}^{h})$$
$$C_{a}^{l} \le C + C_{s}^{h} - C_{s}^{l} \le C_{a}^{h}$$
where $C_{s}^{h}$ is optimizer slack variable for violating high limit with penalty value; $C_{s}^{l}$ is optimizer slack variable for violating low limit with penalty value; $C_{c}^{h}$ is high control limit; $C_{c}^{l}$ is low control limit; $C_{a}^{h}$ is high alarm limit; $C_{a}^{l}$ is low alarm limit; $f_{a}^{h}$ is high control limit relaxation factor; $f_{a}^{l}$ is low control limit relaxation factor.
11. The method according to claim 1, wherein said embedding alarm controls additionally comprises: when a process variable not currently included within the scope of said simultaneous dynamic control and steady state optimization violates its alarm limit then said violating variable is included within the scope of said simultaneous dynamic control and steady state optimization in real time with its embedded alarm limits in accordance with the method of alarming desired in order to perform on-demand alarm violation correction.
12. The method according to claim 1, wherein said embedding alarm controls additionally comprises: a method of Contextual Alarming and recovery actions to aid said operator in recovery actions comprising of the steps: alarming when said simultaneous dynamic control and steady state optimization can not find a feasible steady state solution and providing assistance to said operator in recovery action in regard to the extent of relaxation of either said manipulated variables high/low control limits within high/low alarm limits or controlled variables high/low control limits within high/low alarm limits; alarming when said controlled variable's control limits or alarm limits are violated dynamically in closed loop prediction and providing assistance to said operator in elimination or mitigation of said predicted dynamic violations; alarming when regulatory controllers related said controlled variables deviation in the context of predicted steady state infeasibility and/or predicted closed loop dynamic violation of one or more said controlled variables; and assisting said operator in directing said process to a previously known safe operating state involving a varying degree of braking action that would remove any one of energy and material.
13. A method of embedding alarm control within a model predictive controller of a process having a plurality of independently manipulated variables, at least one controlled variable and disturbance variables, said method comprising the steps of: devising a method of steady state optimization and dynamic control within said model predictive controller that generates simultaneously for each of said manipulated variables, a set number of future dynamic moves along with a future steady state value, and for each of said controlled variables, a set of predicted future dynamic values and a future steady state value in accordance with steady state constraints and dynamic constraints for each of said manipulated variables and controlled variable including where appropriate in accordance with future values of said disturbance variables; embedding additionally alarm control within said method of optimization and control by modifying said steady state and dynamic constraints of said manipulated variables and controlled variables in accordance with varying alarming situations and aiding an operator in recovery actions; and performing a receding horizon form of control wherein said optimization and control is performed at successive time intervals by monitoring and feedback of the process responses resulting from the manipulated variables dynamic move applied at previous time intervals.
14. The method of embedded alarm control of claim 13, wherein said step of embedding of alarm control further comprising the steps of: modifying said constraints relating to said controlled variables in accordance with an extent and type of alarm avoidance being sought by the operator which for non-regulatory controlled variables constitute violations of low and high limits and for regulatory controlled variables constitute violations of low and high limits of deviation from a set point of said low and high limits; and applying a method of closed loop dynamic predictive alarming or simply predictive alarming when a controlled variable is predicted to violate the alarm limits in future time.
15. The method of embedded alarm control of claim 14, wherein said low and high alarm limit violation further comprising an operator set parameter to affect the extent of alarm avoidance.
16. The method of embedded alarm control of claim 13, wherein said step of aiding an operator in recovery actions further comprises one or more of the steps: relaxing manipulated variables low and high limits range; relaxing controlled variables low and high limits range; doing on-demand alarm violation correction; applying asymmetrical control action employing braking action; and performing contextual alarming, depending on the severity of the predicted alarm limits violations.
17. The method of embedded alarm control of claim 16, wherein said manipulated variables limit range relaxing further include an extension of a normal operating limit range of said manipulated variables limit range to determine a feasible optimization and control solution that is necessary and adequate to achieve a desired recovery action.
18. The method of embedded alarm control of claim 16, wherein said relaxing controlled variables limit range further include extending of the limits range in conjunction with and in limitation of said manipulated variables limit range relaxation.
19. The method of embedded alarm control of claim 16, wherein said doing on-demand alarm correction relates to a method of alarm control for the variables that are not currently within the scope of the optimization and control but are in the state of alarm violation comprising the steps of: expanding dynamically the list of variables in the controller; and embedding the variables' alarm limits to aid the operator in recovery actions.
20. The method of embedded alarm control of claim 16, wherein said applying asymmetrical control action relates to a method of employing braking actions that is capable of steering the process to a previously known safe operating state based on a controlled removal of material and energy from the process under supervision of the operator across the entire process or part of the process; and wherein said performing contextual alarming relates to a method of aiding the operator in recovery action based on the varying degree of loss of control across the process during a process upset situation which constitutes a multi-level top down control starting with said manipulated variables range relaxation, said controlled variables range relaxation, said on-demand alarm violation correction and said asymmetrical control action employing braking action.